While reviewing Symantec Endpoint Detection and Response (SEDR) events in Splunk it is noted that several fields contain duplicated data similar to the example below.
This behavior is by design.
In order to normalize data sent to Splunk, the SEDR appliance was designed to utilize the Splunk CIM. To permit troubleshooting of event transformations, the SEDR appliance provides both the raw event and normalized event data to Splunk.
Why CIM Exists:
Fields for Intrusion Detection event datasets